
Thailand’s Personal Data Protection Act (PDPA) · 2020-04-28
Importance

Why does the PDPA matter?

Deadline for compliance: Within 27 May 2020

Supervisory authority: Data Protection Committee, Ministry of Digital Economy and Society

Liabilities under the PDPA
• Fine up to THB 5 million
• Imprisonment up to 1 year
• Compensation for actual damages plus punitive damages up to twice the amount of the actual damages
• Directors and other responsible persons could also be liable if the offender is a juristic person

Scope of applicability

Who will have to comply?
• All organizations established in Thailand
• Organizations outside of Thailand which collect, use, disclose and/or transfer personal data of individuals in Thailand

What type of data is protected?
• Personal data – any data that could, directly or indirectly, identify a living person, including customers, employees, suppliers, business partners, etc.
• Sensitive personal data – e.g. racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, health data, genetic/biological data, etc.

PDPA key compliance

Certain key protection methods
• Consent must be obtained for any collection, use, disclosure and/or transfer of personal data, except as otherwise permitted by law.
• Consent (if required) must be freely given, specific, informed and unambiguous, and can be withdrawn by the personal data owner.
• Privacy notice at the time of collection, e.g. purpose(s) of the collection, any potential disclosure/transfer of personal data, etc.

Use and disclosure
• Use and disclosure must be in line with the purpose(s) consented to by the owner.
• Transfer of personal data to a foreign country must comply with the PDPA’s requirements.

Other requirements
• Ensure the persons’ rights under the PDPA, including the right to data portability and the right to erasure.
• Protect personal data with appropriate security measures.
• A Data Protection Officer could be required for organizations that process personal data at a large scale, or process sensitive personal data.
• A registry documenting all personal data processing activities must be maintained.
• Notify data breaches to the Data Protection Committee within 72 hours, and to the data subjects where there is a high risk to them.
• Data controllers must ensure that sub-contractors/processors comply with the PDPA.

How to start?
• Review the legal basis for your data processing activities
• Ensure that the consent and privacy notice meet the PDPA requirements
• Ensure that your contracts with vendors/suppliers/third parties contain adequate personal data protection provisions
• Have appropriate data governance policies and training

Contact us
Vipaphan Chatupromwong, Director, E: [email protected]
Pattaraporn Kaiboriboon, Manager, E: [email protected]

KPMG Phoomchai Tax Ltd., Empire Tower, 49th Floor, 1 South Sathorn Road, Yannawa, Sathorn, Bangkok 10120, Thailand
T: +66 2677 2000

© 2019 KPMG Phoomchai Tax Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

* KPMG Thailand is a member firm of the KPMG network in the EU which has extensive experience in GDPR.